On Wed, May 28, 2025 at 5:52 PM Chris Adams <li...@cmadams.net> wrote:
>
> Once upon a time, Michael Catanzaro <mcatanz...@redhat.com> said:
> > On Wed, May 28 2025 at 03:19:49 PM -05:00:00, Chris Adams
> > <li...@cmadams.net> wrote:
> > > So it's been another month and this still isn't resolved. I know people
> > > on the Fedora side have been trying (don't want to complain about
> > > effort). But if Fedora can't reliably get timely updates to a package
> > > that has high security implications, it should NOT be enabled by
> > > default, or even shipped by Fedora at all.
> >
> > Well you're not wrong. The risk level here is considerable.
> >
> > But without this package, users can't play videos, and there's
> > nothing we can do about that other than point to RPM Fusion and hope
> > they can figure out how to get what they need from there, which is
> > not easy. So the consequences of dropping it are also considerable.
> > Rock and hard place and all that.
>
> This package is for playing one particular encoding of videos (and only
> certain profiles of that encoding from what I understand). There's also
> nothing preventing Fedora from pointing users to Cisco's site to get
> their provided binaries.
>
> There are always decisions between security and convenience, and Fedora
> has typically gone for security (e.g. things like continually raising
> the crypto policies). Leaving desktop users open to a high-rated CVE
> for three months (and counting), in the name of convenience, is rather
> bad IMHO.

Honestly, we don't really push for security like that. We have generally
provided optionality, but that doesn't mean we want security to outweigh
our community and usability. The crypto policies are an example of the
problems caused by pushing security above everything else, as we wound up
with several releases in a row of the package manager being broken because
RPM could no longer verify Google Chrome's GPG keys (among other things).

--
真実はいつも一つ!/ Always, there's only one truth!